The Digital Personal Data Protection Act, 2023 (DPDP Act) marks a significant advancement in India’s approach to personal data protection and privacy. Central to this new legislation is the concept of a Consent Manager Framework. This innovative structure is designed to strike a balance between empowering individuals with control over their personal data and providing organizations with clear guidelines for data protection.
The Need for Consent Managers
Consent managers arise from the necessity to uphold the foundational principle of the notice and consent framework in data processing. This concept, rooted in the individual’s right to consent to actions concerning their data, was emphasized by the B.N. Srikrishna Committee, leading to the integration of Consent Managers within India’s data protection framework.
Defining a Consent Manager
Under Section 2(g) of the DPDP Act, a Consent Manager is an entity registered with the Data Protection Board, acting as a central facilitator for Data Principals to manage their consent. This role can be performed in-house or outsourced, ensuring that digital consent management is effectively implemented within an organization.
Role and Objectives of Consent Managers
The DPDPA envisions Consent Managers as intermediaries between Data Fiduciaries and Data Principals. Their tasks include obtaining informed consent, recognizing consent withdrawal, and maintaining records of consent. By managing these processes, Consent Managers play a crucial role in preventing unauthorized data collection and ensuring transparency and control over personal data.
Actions for Data Fiduciary to build mechanism for Consent Management:
- Ensure the accuracy and completeness of data
- To provide notice to data principals regarding data being processed and purpose for the same
- Notice should be easily understandable and must be in multiple languages
- Discover efficient ways to notify users about data processed before via email/app alerts.
- Make users aware regarding their rights and duties and to make complaints
- Build agreements to have Free, Explicit, Specific, Informed, Unambiguous & Unconditional consent with Clear Affirmative Action
- For Children below 18 years of age, or Individual with Disability consent will be provided by the parent or the legal guardian.
- Erase personal data as soon as the purpose has been met
- In case of breach have mechanism to timely inform Data Protection Board and Affected Individual
Role of Consent Manager:
- The Data Principal may Give, Manage, Review or Withdraw her consent to the Data Fiduciary through a Consent Manager
- Consent Manager is responsible for acting on behalf of and being accountable to the Data Principal as prescribed.
- Consent Manager shall be registered with the Board with subject to such Technical, Operational, Financial adhering to prescribed conditions.
- Data Fiduciary is responsible to prove Notice & Consent.
Rights & Duties of Data Principals:
- Right to Grievance Redressal: The data fiduciary & consent manager must respond to grievance of Data Principal within a prescribed time frame.
- Right to Nominate: Nominate any other individual, who shall, in the event of death or incapacity of data principal, exercise the rights of the data principal
- Right to Access Information: Seek information about processed data and information in case shared with other data fiduciaries or processors.
- Right to Seek Correction: Data Principal can reach out to Data Fiduciary in order to exercise their right to correct, complete, update and erasure of their personal data
- Right to Withdraw consent: Data principals have the right to crease processing by withdrawing their consent. The process will be facilitated by consent manager.
The advent of the Digital Personal Data Protection Act (DPDPA) marks a pivotal moment for the Banking, Financial Services, and Insurance (BFSI) sector, underscoring the imperative of safeguarding personal data in an increasingly digitized landscape. This legislation imposes rigorous measures and obligations on BFSI organizations, emphasizing the secure management of the personal data they collect, store, and process.
Given the BFSI industry’s substantial volume of customer data, proactive compliance with the DPDPA becomes paramount. To this end, a set of concise directives takes center stage, guiding BFSI entities in aligning their practices with the DPDPA’s principles. These directives span critical areas, including consent management and cybersecurity, facilitating the sector’s adept navigation of data protection complexities and the maintenance of trust among its esteemed customers.
Comparison with Other Legal Provisions
A current source of debate centers around the role of Consent Managers as defined under different legal provisions, notably comparing the Consent Manager under the DPDPA (Data Protection and Privacy Act) with those in the National Digital Health Mission and the RBI’s Account Aggregator project (AAF).
Under Section 6(9) of the DPDP Act, it is stipulated that every Consent Manager must undergo registration with the Board and adhere to prescribed technical, operational, financial, and other conditions. This clearly indicates that under the DPDP Act, a Consent Manager functions as a Data Fiduciary, encompassing more than just a technological role. While they may utilize a technology platform, they are considered a distinct entity with public visibility. Conversely, the Consent Manager within the AAF primarily functions as a pure technology platform, akin to an Internet Service Provider, without bearing the same responsibilities towards the public.
Legally speaking, the Consent Manager in the AAF is categorized as an intermediary, whereas the Consent Manager under the DPDPA is designated as a Data Fiduciary, entailing specific obligations as outlined in the DPDPA. This distinction raises questions about whether there is any form of visible disclosure from the data principal to the Consent Manager. In the case of the Consent Manager platform under AAF, it can be configured in a manner where the identity of the Consent Manager remains inaccessible to individuals. Consequently, such a platform may not be subject to the responsibilities laid out in the DPDPA for a data fiduciary.
FAQs
1. What is a Consent Manager under the Digital Personal Data Protection Act, 2023?
A Consent Manager, as defined in the DPDP Act, is a registered entity with the Data Protection Board. They act as an intermediary between the Data Principal (the individual whose data is being processed) and the Data Fiduciary (the entity processing the data). Their role is to facilitate the process of giving, managing, reviewing, and withdrawing consent for data processing through an accessible and transparent platform.
2. Why are Consent Managers important in data protection?
Consent Managers are crucial because they ensure that the process of obtaining and managing consent for data processing is transparent, informed, and user-friendly. They help in upholding the individual’s right to privacy and control over their personal data, which is a fundamental aspect of the DPDP Act. By managing consents effectively, they also aid organizations in adhering to legal requirements and maintaining trust with their users.
3. How do Consent Managers differ from traditional methods of managing consent?
Traditional consent management often involves disparate and manual processes, lacking in transparency and accessibility. Consent Managers, on the other hand, provide a centralized, automated, and user-friendly platform that streamlines the consent process. They ensure that consents are obtained in a legally compliant manner, are easy to manage and track, and offer the Data Principal clarity and control over how their data is used.
4. Can an organization act as its own Consent Manager?
Yes, an organization can act as its own Consent Manager, provided it registers with the Data Protection Board and meets the requirements set out in the DPDP Act. However, organizations can also choose to outsource this function to third-party service providers who specialize in consent management. The key is that whether in-house or outsourced, the Consent Manager must comply with the legal, technical, and operational standards prescribed by the Act.
5. What happens if a Data Principal withdraws their consent through a Consent Manager?
When a Data Principal withdraws their consent using a Consent Manager, the Data Fiduciary must cease the processing of the individual’s personal data for the purposes for which consent was withdrawn. The Consent Manager plays a critical role in ensuring that this withdrawal is communicated effectively to the Data Fiduciary and that the data processing activities are adjusted accordingly in a timely manner. The Consent Manager also ensures that a record of this withdrawal is maintained for compliance and audit purposes.